Signature Detail

SMTP: Invalid ZIP Header in Attachment

This signature detects ZIP files containing invalid header information in SMTP traffic. Attackers can attach a crafted ZIP file to an e-mail. A successful attack requires enticing the target to manually scan the ZIP attachment with a virus scanner, which can lead to remote arbitrary code execution on the target system.

Extended Description

Sophos Anti-Virus is prone to a remote denial of service vulnerability when it is configured to 'Scan inside archive files'. This is not a default setting. The issue exists due to failure of the software to adequately sanitize 'Extra field length' values contained in BZip2 archives. Ultimately this vulnerability may be exploited to conduct a denial of proper service for legitimate users. Attackers may leverage this issue to prevent the software from completing file scans, for files received subsequent to an attack. This may allow the attacker to bypass Anti-Virus scans.

Affected Products

• Sophos Anti-Virus 3.4.6
• Sophos Anti-Virus 3.78.0
• Sophos Anti-Virus 3.78.0 d
• Sophos Anti-Virus 3.79.0
• Sophos Anti-Virus 3.80.0
• Sophos Anti-Virus 3.81.0
• Sophos Anti-Virus 3.82.0
• Sophos Anti-Virus 3.83.0
• Sophos Anti-Virus 3.84.0
• Sophos Anti-Virus 3.85.0
• Sophos Anti-Virus 3.86.0
• Sophos Anti-Virus 3.90.0
• Sophos Anti-Virus 3.91.0
• Sophos Anti-Virus 5.0.1
• Sophos MailMonitor for Notes/Domino
• Sophos MailMonitor for SMTP 2.0.0
• Sophos MailMonitor for SMTP 2.1.0
• Sophos PureMessage Anti-Virus 4.6.0
• Sophos Small Business Suite 1.0.0

References

• BugTraq: 14270
• CVE: CVE-2005-1530
• URL: http://www.idefense.com/application/poi/display?id=283&type=vulnerabilities
• URL: http://www.sans.org/newsletters/risk/display.php?v=4&i=29#05.29.35